1470701 – Switching from Targeted to MLS shows "denied" AVCs after reboot

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1470701 - Switching from Targeted to MLS shows "denied" AVCs after reboot

Summary: Switching from Targeted to MLS shows "denied" AVCs after reboot

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-13 13:38 UTC by Renaud Métrich
Modified:	2018-04-10 12:36 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:34:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	0	None	None	None	2018-04-10 12:36:05 UTC

Description Renaud Métrich 2017-07-13 13:38:26 UTC

Description of problem:

After a fresh minimal installation of RHEL7.3 using the DVD, then updating to latest updates,
I followed strictly the documentation to switch from Targeted policy to MLS (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html).
After reboot, relabelling occurred but some "denied" AVCs are shown in the audit log.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-102.el7_3.16.noarch
selinux-policy-mls-3.13.1-102.el7_3.16.noarch


How reproducible:

Always

Steps to Reproduce:
1. Install a VM using RHEL7.3 DVD
2. (Optional) Update
3. Have the journal be persistent:
    mkdir /var/log/journal
    systemctl restart systemd-journald.service
4. Follow the doc to switch to MLS

Actual results:

During relabelling, some contexts are invalid:

Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:selinux_config_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:semanage_store_t:s0 is not valid (left unmapped
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:file_context_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:system_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:bin_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_conf_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:etc_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:admin_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context unconfined_u:object_r:home_cert_t:s0 is not valid (left unmapped).
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmapped)
Jul 13 15:27:39 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_var_lib_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:init_var_lib_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_var_lib_t:s0 is not valid (left unmap
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_log_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rhsmcertd_log_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:ldconfig_cache_t:s0 is not valid (left unmapped
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:rpm_var_cache_t:s0 is not valid (left unmapped)
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context unconfined_u:object_r:mail_spool_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:abrt_var_cache_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:vlock_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhsmcertd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:rhnsd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:40 vm-mls kernel: SELinux:  Context system_u:object_r:blkmapd_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:44 vm-mls kernel: SELinux:  Context system_u:object_r:authconfig_exec_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_dir_t:s0 is not valid (left unmapped)
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:user_home_t:s0 is not valid (left unmapped).
Jul 13 15:27:45 vm-mls kernel: SELinux:  Context unconfined_u:object_r:boot_t:s0 is not valid (left unmapped).

After complete boot, "audit2why" reports errors:

# audit2why -a
type=AVC msg=audit(1499952452.636:83): avc:  denied  { open } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.636:84): avc:  denied  { getattr } for  pid=659 comm="audispd" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { open } for  pid=671 comm="auditctl" path="/etc/ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952452.651:85): avc:  denied  { read } for  pid=671 comm="auditctl" name="ld.so.cache" dev="dm-0" ino=16885169 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.432:89): avc:  denied  { read } for  pid=563 comm="lvm" name="gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:90): avc:  denied  { open } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952453.433:91): avc:  denied  { getattr } for  pid=563 comm="lvm" path="/usr/lib64/gconv/gconv-modules.cache" dev="dm-0" ino=50337353 scontext=system_u:system_r:lvm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952455.281:93): avc:  denied  { getattr } for  pid=513 comm="systemd-udevd" path="/usr/lib/modules/3.10.0-514.26.2.el7.x86_64/modules.dep.bin" dev="dm-0" ino=50702474 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952465.825:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { reboot } for auid=n/a uid=0 gid=0 cmdline="systemctl --force reboot" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952465.809:95): avc:  denied  { setattr } for  pid=1197 comm="cpio" name="null" dev="tmpfs" ino=18286 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:14): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=USER_AVC msg=audit(1499952478.285:15): pid=654 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { contains } for  spid=1 tpid=651 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tclass=context  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.248:13): avc:  denied  { write } for  pid=653 comm="brandbot" name="os-release" dev="dm-0" ino=16777319 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952478.424:22): avc:  denied  { getopt } for  pid=672 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:gssproxy_t:s0-s15:c0.c1023 tcontext=system_u:system_r:gssproxy_t:s15:c0.c1023 tclass=unix_stream_socket
	Was caused by:
()
#Constraint rule:

#	mlsconstrain unix_stream_socket { connect accept } ((l1 eq l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-)  and (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { read getattr listen accept getopt recv_msg } ((l1 dom l2 -Fail-)  or (t1 == { system_dbusd_t inetd_t sssd_t virtd_t xserver_t } -Fail-)  and (h1 dom l2)  or (t1 == { init_t setrans_t } -Fail-) ); Constraint DENIED
mlsconstrain unix_stream_socket { write setattr relabelfrom connect setopt shutdown } ((l1 eq l2 -Fail-)  or (t1 == virtd_t -Fail-)  and (l1 dom l2 -Fail-)  and (l1 domby h2)  or (t1 == { inetd_t initrc_t sssd_t virtd_t xdm_t } -Fail-)  and (h1 dom l2)  and (l1 domby l2)  or (t1 == { kernel_t cupsd_t system_dbusd_t init_t auditd_t audisp_t audisp_remote_t syslogd_t setrans_t } -Fail-)  or (t2 == { httpd_bool_t faillog_t anon_inodefs_t devtty_t kernel_t kvm_device_t null_device_t proc_numa_t ptmx_t security_t tmpfs_t tun_tap_device_t vhost_device_t zero_device_t crond_t cupsd_t cupsd_var_run_t system_dbusd_t system_dbusd_var_run_t initctl_t devlog_t syslogd_t syslogd_var_run_t setrans_t setrans_var_run_t sshd_t sssd_t sssd_var_lib_t sudo_db_t virt_log_t qemu_var_run_t xdm_t xserver_t } -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0-s15:c0.c1023) and target level (s15:c0.c1023) are different.

type=AVC msg=audit(1499952478.748:26): avc:  denied  { read } for  pid=684 comm="modprobe" path="/run/xtables.lock" dev="tmpfs" ino=14220 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:object_r:iptables_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:95): avc:  denied  { getattr } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { open } for  pid=1035 comm="sysctl" path="/proc/sys/fs/protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952484.416:96): avc:  denied  { write } for  pid=1035 comm="sysctl" name="protected_hardlinks" dev="proc" ino=1323 scontext=system_u:system_r:tuned_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_security_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952488.579:115): avc:  denied  { dyntransition } for  pid=1086 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0 tclass=process
	Was caused by:
	The boolean ssh_sysadm_login was set incorrectly. 
	Description:
	Allow ssh to sysadm login

	Allow access by executing:
	# setsebool -P ssh_sysadm_login 1
type=AVC msg=audit(1499952604.360:124): avc:  denied  { name_connect } for  pid=1173 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952609.767:125): avc:  denied  { name_connect } for  pid=1175 comm="rhsmcertd-worke" dest=443 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
type=AVC msg=audit(1499952619.668:126): avc:  denied  { getattr } for  pid=1187 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:127): avc:  denied  { execute } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:128): avc:  denied  { read } for  pid=1187 comm="virt-what" name="dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { execute_no_trans } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.668:129): avc:  denied  { open } for  pid=1188 comm="virt-what" path="/usr/sbin/dmidecode" dev="dm-0" ino=233086 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:130): avc:  denied  { open } for  pid=1175 comm="rhsmcertd-worke" path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=16777291 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { create } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { add_name } for  pid=1175 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1499952619.700:131): avc:  denied  { write } for  pid=1175 comm="rhsmcertd-worke" name="rpm" dev="dm-0" ino=16777290 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 2 Lukas Vrabec 2017-07-17 12:17:12 UTC

Hi, 

Di you follow these instructions? Because if you switching to MLS you should do restorecon. 

Please try it again with following tutorial: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html

If you have still some issues, feel free to re-open this BZ.

Comment 3 Renaud Métrich 2017-07-17 12:49:38 UTC

I followed the instructions. There is no restorecon command to issue, but the autorelabel.
As written, relabelling occurs during reboot but fails partially.

Comment 4 Lukas Vrabec 2017-07-17 13:39:48 UTC

Okay, 

Could you run fixfiles instead of autorelabel? 

# fixfiles -F onboot

Thanks.

Comment 5 Renaud Métrich 2017-07-17 15:26:48 UTC

This is what I did since I followed the RHEL7 guide.
From the relabelling traces, some invalid context issues appear (see the description).

Comment 6 ruckc@yahoo.com 2017-07-18 00:10:51 UTC

just ran into these today, when trying to test the MLS policies in RHEL 7, versus RHEL 6.  Seems like most of this should be caught before getting released.  Also catches me in kind of a bind, as it appears most of these appear because the scontext isn't getting set correctly.  I'd be tempted to write a module to address these, but allowing permissions to services properly typed is one thing, and improperly typed is quite another.

Comment 7 Lukas Vrabec 2017-09-18 14:38:51 UTC

I tried switch RHEL-7.4 and RHEL-7.3 systems to MLS using: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/mls.html

Systems are booting fine in Enforcing. 

MLS policy type is too strictly so some AVCs during boot are expected. I prefer close this and use local policy for fixing AVCS.

Comment 10 Milos Malik 2018-02-22 08:22:24 UTC

Messages like "Context unconfined_u:.* is not valid" are expected, because unconfined_u is not defined in MLS policy:

# seinfo -uunconfined_u -x /etc/selinux/targeted/policy/policy.30 
   unconfined_u
      default level: s0
      range: s0 - s0:c0.c1023
      roles:
         object_r
         system_r
         unconfined_r
# seinfo -uunconfined_u -x /etc/selinux/mls/policy/policy.30
ERROR: could not find datum for user unconfined_u
#

Comment 11 Milos Malik 2018-02-22 08:38:41 UTC

After switching to MLS, you can see a lot SELinux denials, because the MLS policy supports only a subset of domains supported in the targeted policy. Of course, this can improve in future.

Comment 12 Milos Malik 2018-02-22 11:25:40 UTC

The documentation cited in comment#0 says:

7. If there were no denial messages in the /var/log/messages file, or you have resolved all existing denials, configure SELINUX=enforcing in the /etc/selinux/config file...

The "if" part of the sentence is not necessary. The "configure ..." part is enough. The machine is able to boot in MLS enforcing even if there are some SELinux denials.

Based on the tests I ran, there are no SELinux denials which contain unlabeled_t.

Comment 15 errata-xmlrpc 2018-04-10 12:34:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.